
Narrowing down from a broad topic, I have a specific question (maybe a little bit 'tin-foil hat').

This question is regarding the best practices of securing data transmitted in a post request between the client and server. The background is a web app I'm developing to learn more about node and express js.

Although the example I'm using is for login credentials, it really could be about any information being transmitted in a POST request from a form submit to an Express server.

Example: the client submits form data through a button click event. I'm using Vue for the front end, but this is a generic question. On the client page I'm also using (inside an async function):

const resp = await axios.post("http://someurl.com/login", {client:email, pw:pw});

In Chrome developer tools on the Network tab I can see the request payload. In the example it looks like:

{client:"some email address", pw:"some password"}

Would it be better to transmit the payload already encrypted / encoded? Then have it decrypted / de-encoded on the server? For transmitting sensitive information, is it better to use a signed cookie?

The plan, should I ever get through all of this, is to use Let's Encrypt for HTTPS.

Is it reasonable to only rely on HTTPS for protecting this type of payload?

For reference, on the Express server the password gets hashed and compared with a hashed version from a database. I've read about Helmet and csurf and intend to use them in the final product as well. There's a lot of great information in this answer, which is incredibly awesome and talks about the importance of HTTPS over HTTP.

Any additional references / thoughts / practical considerations are appreciated.

j_unknown

1 Answer


Using HTTPS will encrypt your payload between your client and the server. Any JavaScript handling on the front end can be circumvented by users with enough knowledge, so all the frontend is really there for is to facilitate a better user experience: password confirmation checking, correct fields filled out, etc.

Your main source of security will be your eventual Let's Encrypt HTTPS certificate and the hashing and salting applied at the server end. As you correctly surmised, HTTP sends passwords in clear text, which is bad. As a warning though, even HTTPS can be defeated if somebody wants it badly enough, with a number of techniques to hijack Certificate Authorities (I believe Root CAs should be offline anyway) or modify trusted certificates on a user's PC.

Although it does depend on the amount of effort required by the hacker vs. the potential return; hence the more you are trying to protect, the greater the security required before it becomes not worth the effort for any potential hacker to attempt to circumvent the security of a particular site (reputation hacks aside, of course).

Hope this helps.

  • Thanks for your input. I thought as much, but wanted to see if there are other additional steps to take in securing the payload of a post request. From what I've read and what you've confirmed here, HTTPS is the default standard for securing data in transit. Additional steps could border on 'getting too clever'. I'm going to leave this open a few more days to see if anyone else has a thought. – j_unknown Nov 04 '18 at 16:32
  • Thanks Kristian for your answer, marking as answered. – j_unknown Dec 02 '18 at 15:16